From what I can tell the SNI is not added for cache peers. In Ssl::PeerConnector::initializeSsl, if "peer" is set then the call to Ssl::setClientSNI is skipped. Also, the SSL context doesn't have the hostname or a callback set, and sslCreateClientContext doesn't appear to be able to set it either.

I've tested with a quick patch which appears to fix the issue (however, I feel it should take into account the forcedomain option as well):

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index f5d4c81..178c685 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -133,6 +133,7 @@ Ssl::PeerConnector::initializeSsl()
     if (peer) {
         SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain : peer->host);
         SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+        Ssl::setClientSNI(ssl, host->c_str());
 
         if (peer->sslSession)
             SSL_set_session(ssl, peer->sslSession);

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-proxy-for-HTTPS-cloudfront-server-tp4681533p4681542.html
Sent from the Squid - Users mailing list archive at Nabble.com.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
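Review bot: The added `Ssl::setClientSNI(ssl, host->c_str());` sends whatever `peer->ssldomain` or, failing that, `peer->host` holds as the SNI name with no check on the value. A cache_peer configured by IP address leaves `peer->host` as an IP literal, which RFC 6066 does not permit in the server_name extension, so the call should be skipped (or guarded) when no ssldomain is set and the host is an address rather than a name. The post itself notes that the forcedomain option should be honoured too; the natural place is the same ternary that picks `host`, so that the value stored in `ssl_ex_index_server` and the value sent as SNI stay identical. The result of the `Ssl::setClientSNI` call is also discarded, so a rejected name would go unnoticed; at minimum a debugs() line on failure would help when diagnosing peers that still fail the handshake.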
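As an added example, not code from Squid or from the poster, the following C helper shows the name-selection step the patch above performs (ssldomain, else host) with the two things a reviewer would want on top: the forcedomain fallback the post mentions, and a refusal to send an IP literal as SNI, which RFC 6066 forbids. The `peer_cfg` struct, the precedence ssldomain > forcedomain > host, and the function names are assumptions made for the example; in Squid the chosen name would be handed to Ssl::setClientSNI.

```c
/* Added example (not Squid code): choose the SNI name for an outgoing TLS
 * connection to a cache peer. Mirrors the ssldomain-else-host selection of
 * the patch, adds a hypothetical forcedomain fallback, and refuses to hand
 * an IP literal to SNI because RFC 6066 section 3 forbids it in HostName. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical stand-in for the CachePeer fields the patch reads. */
struct peer_cfg {
    const char *host;        /* cache_peer address or name as configured */
    const char *ssldomain;   /* ssldomain= option, or NULL when unset */
    const char *forcedomain; /* forcedomain= option, or NULL when unset */
};

/* True when s parses as a literal IPv4 or IPv6 address. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Returns the name that should go into the server_name extension, or NULL
 * when no SNI should be sent at all. Precedence (an assumption for this
 * example): ssldomain, then forcedomain, then host. The first non-empty
 * candidate decides; if it is an address, SNI is omitted rather than
 * falling through to a lower-priority name the operator did not choose. */
const char *peer_sni_name(const struct peer_cfg *p)
{
    const char *candidates[3];
    size_t i;

    candidates[0] = p->ssldomain;
    candidates[1] = p->forcedomain;
    candidates[2] = p->host;

    for (i = 0; i < 3; i++) {
        const char *c = candidates[i];
        if (c == NULL || *c == '\0')
            continue;               /* option not set; try the next one */
        if (is_ip_literal(c))
            return NULL;            /* never place an address in SNI */
        return c;
    }
    return NULL;                    /* nothing configured at all */
}

int main(void)
{
    /* Constructed sample peers using documentation addresses and names. */
    struct peer_cfg by_name = { "origin.example.net", NULL, NULL };
    struct peer_cfg by_ip   = { "203.0.113.10", NULL, NULL };
    struct peer_cfg by_ip_with_domain = { "203.0.113.10", "origin.example.net", NULL };
    const char *n;

    n = peer_sni_name(&by_name);
    printf("by name:            %s\n", n ? n : "(no SNI)");
    n = peer_sni_name(&by_ip);
    printf("by ip:              %s\n", n ? n : "(no SNI)");
    n = peer_sni_name(&by_ip_with_domain);
    printf("by ip + ssldomain:  %s\n", n ? n : "(no SNI)");
    return 0;
}
```

The check matters for exactly the reverse-proxy case in this thread: a cache_peer pointing at an IP would otherwise put that address into SNI, and a server that selects certificates by name will then either reject the handshake or serve a default certificate that fails verification.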